1 files changed, 76 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
new file mode 100644
index 0000000000..23c8049896
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
@@ -0,0 +1,76 @@
+From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Wed, 24 May 2017 15:54:40 +0300
+Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
+The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
+no less. Both ProcSendEvent and SProcSendEvent verify that the received data
+exactly match the request size. However nothing stops the client from passing
+in event with xEvent::type = GenericEvent and any value of
+xGenericEvent::length.
+In the case of ProcSendEvent, the event will be eventually passed to
+WriteEventsToClient which will see that it is Generic event and copy the
+arbitrary length from the receive buffer (and possibly past it) and send it to
+the other client. This allows clients to copy unitialized heap memory out of X
+server or to crash it.
+In case of SProcSendEvent, it will attempt to swap the incoming event by
+calling a swapping function from the EventSwapVector array. The swapped event
+is written to target buffer, which in this case is local xEvent variable. The
+xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
+expect that the target buffer has size matching the size of the source
+GenericEvent. This allows clients to cause stack buffer overflows.
+Signed-off-by: Michal Srb <msrb@suse.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+CVE: CVE-2017-10971
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
+Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
+---
+ dix/events.c  |    6 ++++++
+ dix/swapreq.c |    7 +++++++
+ 2 files changed, 13 insertions(+)
+diff --git a/dix/events.c b/dix/events.c
+index 3e3a01e..d3a33ea 100644
+--- a/dix/events.c
+++ b/dix/events.c
+@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
+         client->errorValue = stuff->event.u.u.type;
+         return BadValue;
+     }
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
+     if (stuff->event.u.u.type == ClientMessage &&
+         stuff->event.u.u.detail != 8 &&
+         stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
+diff --git a/dix/swapreq.c b/dix/swapreq.c
+index 719e9b8..6785059 100644
+--- a/dix/swapreq.c
+++ b/dix/swapreq.c
+@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
+     swapl(&stuff->destination);
+     swapl(&stuff->eventMask);
+ 
+    /* Generic events can have variable size, but SendEvent request holds
+       exactly 32B of event data. */
+    if (stuff->event.u.u.type == GenericEvent) {
+        client->errorValue = stuff->event.u.u.type;
+        return BadValue;
+    }
+
+     /* Swap event */
+     proc = EventSwapVector[stuff->event.u.u.type & 0177];
+     if (!proc || proc == NotImplemented)        /* no swapping proc; invalid event type? */
+-- 
+1.7.9.5

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch new file mode 100644 index 0000000000..23c8049896 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-1.patch
@@ -0,0 +1,76 @@
	1	From 215f894965df5fb0bb45b107d84524e700d2073c Mon Sep 17 00:00:00 2001
	2	From: Michal Srb <msrb@suse.com>
	3	Date: Wed, 24 May 2017 15:54:40 +0300
	4	Subject: [PATCH] dix: Disallow GenericEvent in SendEvent request.
	5
	6	The SendEvent request holds xEvent which is exactly 32 bytes long, no more,
	7	no less. Both ProcSendEvent and SProcSendEvent verify that the received data
	8	exactly match the request size. However nothing stops the client from passing
	9	in event with xEvent::type = GenericEvent and any value of
	10	xGenericEvent::length.
	11
	12	In the case of ProcSendEvent, the event will be eventually passed to
	13	WriteEventsToClient which will see that it is Generic event and copy the
	14	arbitrary length from the receive buffer (and possibly past it) and send it to
	15	the other client. This allows clients to copy unitialized heap memory out of X
	16	server or to crash it.
	17
	18	In case of SProcSendEvent, it will attempt to swap the incoming event by
	19	calling a swapping function from the EventSwapVector array. The swapped event
	20	is written to target buffer, which in this case is local xEvent variable. The
	21	xEvent variable is 32 bytes long, but the swapping functions for GenericEvents
	22	expect that the target buffer has size matching the size of the source
	23	GenericEvent. This allows clients to cause stack buffer overflows.
	24
	25	Signed-off-by: Michal Srb <msrb@suse.com>
	26	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	27	Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
	28
	29	CVE: CVE-2017-10971
	30
	31	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=215f894965df5fb0bb45b107d84524e700d2073c]
	32
	33	Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
	34	---
	35	dix/events.c \| 6 ++++++
	36	dix/swapreq.c \| 7 +++++++
	37	2 files changed, 13 insertions(+)
	38
	39	diff --git a/dix/events.c b/dix/events.c
	40	index 3e3a01e..d3a33ea 100644
	41	--- a/dix/events.c
	42	+++ b/dix/events.c
	43	@@ -5366,6 +5366,12 @@ ProcSendEvent(ClientPtr client)
	44	client->errorValue = stuff->event.u.u.type;
	45	return BadValue;
	46	}
	47	+ /* Generic events can have variable size, but SendEvent request holds
	48	+ exactly 32B of event data. */
	49	+ if (stuff->event.u.u.type == GenericEvent) {
	50	+ client->errorValue = stuff->event.u.u.type;
	51	+ return BadValue;
	52	+ }
	53	if (stuff->event.u.u.type == ClientMessage &&
	54	stuff->event.u.u.detail != 8 &&
	55	stuff->event.u.u.detail != 16 && stuff->event.u.u.detail != 32) {
	56	diff --git a/dix/swapreq.c b/dix/swapreq.c
	57	index 719e9b8..6785059 100644
	58	--- a/dix/swapreq.c
	59	+++ b/dix/swapreq.c
	60	@@ -292,6 +292,13 @@ SProcSendEvent(ClientPtr client)
	61	swapl(&stuff->destination);
	62	swapl(&stuff->eventMask);
	63
	64	+ /* Generic events can have variable size, but SendEvent request holds
	65	+ exactly 32B of event data. */
	66	+ if (stuff->event.u.u.type == GenericEvent) {
	67	+ client->errorValue = stuff->event.u.u.type;
	68	+ return BadValue;
	69	+ }
	70	+
	71	/* Swap event */
	72	proc = EventSwapVector[stuff->event.u.u.type & 0177];
	73	if (!proc \|\| proc == NotImplemented) /* no swapping proc; invalid event type? */
	74	--
	75	1.7.9.5
	76